Understanding Account Recovery Users

Purpose

This article explains what an Account Recovery User (ACR) is in ServiceNow, why the feature exists, and the responsibilities associated with being designated as an ACR user.


What is an Account Recovery User (ACR)?

An Account Recovery User (ACR) is a designated user who can regain access to a ServiceNow instance when normal authentication methods are unavailable.

The ACR feature is designed as a “break-glass” recovery mechanism to help prevent administrative lockouts caused by authentication-related issues such as:

  • Misconfigured SAML Single Sign-On (SSO)
  • Identity Provider (IdP) outages
  • Authentication configuration errors
  • Certain Multi-Factor Authentication (MFA) issues

The primary purpose of an ACR user is to ensure that at least one trusted administrator can still access the instance and restore authentication services if a failure occurs.


What an ACR User Can Do

When enrolled as an Account Recovery User, a user can:

  • Use the Account Recovery process to regain access to their own account.
  • Access the instance when standard authentication methods are unavailable.
  • Repair authentication configurations if they already possess the required administrative permissions.

Examples include:

  • Correcting a broken SAML configuration.
  • Restoring authentication settings after an IdP outage.
  • Troubleshooting login issues that affect administrators.

What an ACR User Cannot Do

Being an ACR user does not grant additional permissions or roles.

An ACR user:

  • Does not automatically receive the Admin role.
  • Does not gain additional access beyond their existing permissions.
  • Cannot recover or take over other users’ accounts solely because they are an ACR user.
  • Cannot bypass ServiceNow authorization controls.

Account Recovery provides an alternative authentication path, not elevated privileges.


Example Scenario

Situation

An administrator enables a new SAML SSO configuration.

A configuration error prevents all administrators from logging in through the Identity Provider.

Without ACR

  • Administrators are locked out.
  • Authentication settings cannot be corrected.
  • Recovery may require emergency intervention from ServiceNow support.

With ACR

  • The designated ACR user initiates the Account Recovery process.
  • The ACR user regains access to the instance.
  • The ACR user logs in and corrects the SAML configuration.
  • Normal authentication is restored.

Security Considerations

Because ACR provides an alternative path into the instance, organizations should treat ACR accounts as highly sensitive.

Recommended practices include:

  • Limit the number of ACR users.
  • Assign ACR only to trusted administrators.
  • Require MFA enrollment.
  • Ensure ACR users maintain a local password.
  • Review ACR enrollment periodically.
  • Remove ACR designation when no longer required.
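As an added illustration that is not part of the article or of ServiceNow itself, the following script reviews a user export against the practices above; the export format, field names, policy limits and sample users are all constructed assumptions:

```python
from datetime import date

# Constructed sample export; field names are assumptions, not a real ServiceNow table.
ACR_USERS = [
    {"user": "alice", "acr": True,  "roles": ["admin"], "mfa_enrolled": True,
     "local_password": True,  "active": True,  "last_review": "2024-12-01"},
    {"user": "bob",   "acr": True,  "roles": ["admin"], "mfa_enrolled": False,
     "local_password": True,  "active": True,  "last_review": "2024-12-01"},
    {"user": "carol", "acr": True,  "roles": ["itil"],  "mfa_enrolled": True,
     "local_password": False, "active": True,  "last_review": "2024-06-01"},
    {"user": "dave",  "acr": True,  "roles": ["admin"], "mfa_enrolled": True,
     "local_password": True,  "active": False, "last_review": "2024-12-20"},
    {"user": "erin",  "acr": False, "roles": ["admin"], "mfa_enrolled": True,
     "local_password": True,  "active": True,  "last_review": "2024-12-20"},
]

# Assumed organizational policy: small ACR population, quarterly review, admin required.
POLICY = {"max_acr_users": 3, "review_days": 90, "required_role": "admin"}
REVIEW_DATE = date(2025, 1, 15)  # fixed "today" so the output is reproducible


def review_acr_enrollment(users, policy, today):
    """Return (subject, finding) pairs for every practice the ACR set violates."""
    findings = []
    acr = [u for u in users if u["acr"]]
    # Limit the number of ACR users.
    if len(acr) > policy["max_acr_users"]:
        findings.append(("instance", f"{len(acr)} ACR users exceeds limit {policy['max_acr_users']}"))
    for u in acr:
        # ACR grants no roles: a non-admin ACR user cannot repair authentication settings.
        if policy["required_role"] not in u["roles"]:
            findings.append((u["user"], "ACR designation without admin role"))
        # Require MFA enrollment.
        if not u["mfa_enrolled"]:
            findings.append((u["user"], "MFA not enrolled"))
        # Recovery relies on local credentials when SSO/IdP is unavailable.
        if not u["local_password"]:
            findings.append((u["user"], "no local password; recovery path unusable"))
        # Remove the designation when it is no longer required.
        if not u["active"]:
            findings.append((u["user"], "inactive account still designated ACR"))
        # Review enrollment periodically.
        if (today - date.fromisoformat(u["last_review"])).days > policy["review_days"]:
            findings.append((u["user"], "ACR enrollment review overdue"))
    return findings


if __name__ == "__main__":
    for subject, finding in review_acr_enrollment(ACR_USERS, POLICY, REVIEW_DATE):
        print(f"{subject}: {finding}")
```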

Frequently Asked Questions

Does becoming an ACR user make someone an administrator?

No. ACR does not grant the Admin role or any additional permissions.

Can any administrator become an ACR user?

Generally, users with the required administrative permissions can enroll as ACR users, subject to organizational governance and ServiceNow configuration requirements.

Can there be multiple ACR users?

Yes. Organizations may designate multiple ACR users, although the number should be kept to a minimum.

Should every administrator be an ACR user?

No. ACR should typically be limited to a small number of trusted administrators who are responsible for authentication and platform recovery.


Key Takeaway

An Account Recovery User is not a more powerful administrator. An ACR user is simply an authorized user who can recover access to the instance during authentication failures, allowing them to perform the duties they were already authorized to perform.

Author: Jens Van de Voorde